Security should be built-in, not bolt-on. Security should never be an afterthought. Secure by design, secure by default: these and more have become mantras, at least in information security circles. It is clear that technology, infrastructure and services initially designed for ease of use, maximum compatibility or openness will appear to be constrained by the security team after the fact.
A notion that has been rolling around in the sometimes preternaturally silent caverns of my cranium for a while now, and something I have brought up on the last couple of panels I have sat on, is “Are we insisting hard enough?” This is not a security issue; this is a business issue.
If “secure by design” is the ideal state, why is it that we continue to have a bolt-on Information Security function? Information Security should be embedded in the enterprise structure; a business secure by design.
Another truism is that security professionals “need to learn to speak the language of business”, and I have heard many security professionals express that same desire. It is equally true that business needs to learn to speak the language of security.
Every successful breach relies on a vulnerability, but there is still a disproportionate focus on vulnerabilities in code or configuration, rather than in process or people. Frequently it is simply the way that we do something, rather than the tools that we use, that enables an attacker to gain a foothold in our enterprises. Yet we still focus on patch and vulnerability management instead of embedding security in business processes.
Some more forward-looking organisations may already be exploring the concept of “security champions” or “security ambassadors” as a component of their security awareness programme, but we can and should go further. The Information Security team should be distributed and embedded throughout the organisation: empowered security experts within each business function who carry that responsibility. Our business needs to be secure by design.
Meet your new InfoSec Team
The Human Resources team, Sales, Marketing, Research & Development, Finance, whatever is relevant to your enterprise: each of these needs a full-time security specialist with direct impact on departmental strategy and governance, procurement, third-party management, manufacturing, design, communications and more. Each of them reports to the CIO/CISO with a dotted line to their own departmental head. This is your new Information Security Team.
The most obvious counter-argument to this kind of structure is, of course, cost. The prospect of finding the cash to fund an extra head in every department is alarming at face value, but the more you consider how this approach translates to your own enterprise, the more attractive it becomes. It is not always an extra resource; often it is a redistributed one: the Information Security diaspora. This individual is a security expert, but also a full-time member of their respective team with a clear understanding of the goals, the roadmap, legislation and regulation, business requirements and drivers of that part of your business. They understand the use cases and respective urgency of technology requirements and are able to correlate the business need with the security “bigger picture”. Your embedded security resource learns new skills from their departmental peers and also passes on their own security culture. Your distributed team simplifies security audits, training and incident reporting, and enhances customer experience, both internal and external.
No more marketing emails that ask your customers to “click a link to update their details”, no more ad-hoc appointment of third-party suppliers with inadequate security, no more public-facing web servers vulnerable to SQL injection, no more shadow IT. No more.
Unparalleled visibility, integration and control, continuous education and improvement, and security embedded in every aspect of the business. Information Security is no longer the Department of No, it becomes the Department of How.
The more this architecture is adopted by leading businesses, the more secure we will make our inter-corporate communications and projects as well. Security will find its counterpart in every partnership; you are building a secure physical API for the enterprise.